Setting up LDAPS on Windows 2008


I followed the directions here: to set up LDAPS.  I used a certificate purchased from GoDaddy.  After rebooting, I cannot get the connection to work using ldp.exe.  I'm thinking maybe my certificate was configured incorrectly?  

The name of the server is DNSSrvr1.  The DN for the server is CN=DNSSrvr1,OU=Domain Controllers,DC=mydomain,DC=com.  I set up the request.inf file as follows:

;----------------- request.inf -----------------


Signature="$Windows NT$


Subject = "CN=DNSSrvr1,OU=Domain Controllers,DC=mydomain,DC=com" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0


OID= ; this is for Server Authentication


The certificate came back from GoDaddy for "DNSSrvr1", not the entire DN, could that be an issue?

I put the certificate in the Local Computer Personal container.

When I run the ldp.exe utility, entering either the name of the server or the IP of the server, trying them in combination with both port 636 and 3269, I get Error <0x51>: Fail to connect to DNSSrvr1.

Any ideas?  I'm not quite sure where to go from here.  I hate to go through the process of re-requesting the certificate if that isn't the issue.

Thank you,
Who is Participating?
ParanormasticConnect With a Mentor Cryptographic EngineerCommented:
For your subject CN, instead of the hostname use the FQDN.
You don't want your DC cert to be exportable, but that shouldn't cause the issue - just a recommendation.
You will want to get a "SAN" cert from GoDaddy and include the info from the last line in that - GoDaddy has them for under 100 bucks.  You want the following info:
server1.domain.local (same as subject - include this as first entry)
server1 (if hostname is allowed by commercial CA) (if IP address is public, or if internal IP is allowed by CA - uncommon)

Here's the .inf that we use here for our LDAP certs.
 To create CSR file run this from cmd
 certreq -new policy.inf YourServer.csr

 If issuing from your own internal CA run this from cmd
 certreq -submit -config CASERVER.DNS.NAME\CAName YourServer.csr YourServer.cer

Signature="$Windows NT$"

Subject="CN=DC1.YourDomain.local"  ; enter FQDN here - must be FQDN not another name
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
KeyUsage = 0xF0     ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment ; Alternative 0xA0 for DigSig & Key Encipher only

OID= ; Server Authentication
OID= ; Client Authentication
; OID= ; Smart Card Logon - include even if you don't use SC right now ; comment out if going to a commercial CA - include if internally issued

; CertificateTemplate = WebServer ;Change to appropriate template name or OID ;Omit  line if CA is a stand-alone CA or commercial or other non-MS CA
; SAN = "dns=server1.domain.local&dns=server1&dns=ldap.domain.local&dns=server1&ipaddress=" ; do not include if submitting to commercial CA - purchase a SAN cert and fill in during the appropriate step
ParanormasticCryptographic EngineerCommented:

Also, make sure you are 1) running a current version of LDP, which you can tell if 2) you enabled the SSL checkbox in the connect box (appears under "connectionless").
clarkincitAuthor Commented:
Hello.  This is actually the article I used to set this up.  I also tried the SSL checkbox.  I get the following error with that:
ld = ldap_sslinit("DNSSrvr1", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DNSSrvr1.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

ParanormasticCryptographic EngineerCommented:
Try this in ldp:
Connection - Bind - enter your username/password/domain
Connection - Connect - DNSSvr1/636/ do not check connectionless / do check SSL
clarkincitAuthor Commented:
Still a no go.  I can connect if I use port 389 (non-SSL), but otherwise, I still get the same error.
ParanormasticCryptographic EngineerCommented:
Contact godaddy and ask to upgrade the order from the standard SSL to a SAN cert - I think they refund completely within 14 days if memory serves.
clarkincitAuthor Commented:
Thank you.  I have submitted a request for this.  I will update once I get a resolution from them.
clarkincitAuthor Commented:
Fantastic!  This fixed it.  Thank you so much for your help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.